I am trying to create a correlation rule which is set up as follows:
Filters -> Sig ID (in) 43-263046630, Access_privileges (in), source user (in) [Admin groups]
This is to display the Windows event for a file being deleted by an admin, where the file was, and the machine ID.
However it displays different results to when I create a filter on the dashboard.
The filter gives me the host ID, source user, destination filename and that it has been deleted on Custom Types
The correlation rule only gives me the client ID and that the file has been removed.
But with both, the views on 'Details' and 'Custom types' are giving me different info too along with neither of them displaying the same IPs.
Is it possible to get a screenshot? From the sounds of it, the correlation rule filters sound like they are on their own line, which would translate to two separate events matching two different filters, whereas the filter from the dashboard is two filters for each event.
As for the IP address not being the same, if you are searching for two separate events, there is a group by option at the top that lets you bind events based on the specific fields you need to match against.
Hope this helps.
Unfortunately no screenshots as it's on a closed network.
The filter looks like:
Signature ID = 43-263046630
Access_Privileges = 1537
Source User = admin
The correlation reads:
Filters -> Signature ID (In) [43-263046630], Access_Privileges (In), Source User (In) [Various admin groups AND 'admin']
Are the filters and Correlation rules not applied globally?
Oh, I thought it was
this AND that AND that = result.
(As per the guide: 'NOTE: Select AND because there are two types of actions that need to occur (logon tries first, then a successful logon).')
Could you please advise on how to create the rule to display whenever an Admin account deletes a file, or if you know of any solid documentation that can help out. The guide (link below) doesn't offer much help for me.
Apologies for not responding sooner.
I do not know of any good documentation on my side for building correlations, there may be some here in the community, unfortunately I have not spent a terrible amount of time seeing what's out here.
You would drag a single filter component, and specify your logic there. I don't have a file deleted event in front of me to give the exact details, however the event subtype in the example below may be questionable.
What this says is match a single event, with the signature ID of 1 (replace this with the object deleted signature ID), and source user is in watchlist (create an LDAP based dynamic watchlist and query your administrative accounts), and the event subtype field needs to be specific to the object deleted subtype (if it exists beyond informational, or specify the field found in custom subtypes that indicates it is deleted).
If you need to set up correlation for when multiple items are deleted by a single user before alerting, then you would add the group by logic, and add an AND gate like such. The below example would trigger when the same Source User deleted 10 files in an hour.
Hope this helps out
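As an added illustration of the logic in the reply above (not an ESM rule export and not code from the thread's author), this Python applies the three conditions as one AND on each event, the way a single filter component does, and then the group-by-Source-User threshold of 10 deletions in an hour. The subtype name, the watchlist members and the log records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed values: the thread's signature ID, an assumed "deleted" subtype
# name, and a static set standing in for the LDAP dynamic admin watchlist.
FILE_DELETED_SIG_ID = "43-263046630"
DELETED_SUBTYPE = "Object Deleted"      # assumption, check your custom subtypes
ADMIN_WATCHLIST = {"admin", "jsmith"}   # assumption, normally LDAP-populated
THRESHOLD = 10
WINDOW = timedelta(hours=1)

def matches_single_filter(ev):
    """All three conditions ANDed on ONE event (a single filter component),
    not three components each matching a different event."""
    return (ev["sig_id"] == FILE_DELETED_SIG_ID
            and ev["source_user"] in ADMIN_WATCHLIST
            and ev["event_subtype"] == DELETED_SUBTYPE)

def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Group matching events by Source User; return users with >= threshold
    deletions inside any rolling window, mapped to the triggering timestamps."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if matches_single_filter(ev):
            by_user[ev["source_user"]].append(ev["time"])
    alerts = {}
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = times[start:end + 1]  # fire once per user
                break
    return alerts

def sample_events(gap_minutes=2):
    """Constructed records: 'admin' and 'bob' (not on the watchlist) each
    delete 12 files gap_minutes apart; 'jsmith' deletes only 3."""
    t0 = datetime(2024, 1, 1, 9, 0)
    evs = []
    for i in range(12):
        evs.append({"time": t0 + timedelta(minutes=gap_minutes * i),
                    "sig_id": FILE_DELETED_SIG_ID, "source_user": "admin",
                    "event_subtype": DELETED_SUBTYPE, "dest_filename": f"doc{i}.txt"})
        evs.append({**evs[-1], "source_user": "bob"})
    for i in range(3):
        evs.append({**evs[0], "time": t0 + timedelta(minutes=5 * i),
                    "source_user": "jsmith", "dest_filename": f"old{i}.txt"})
    return evs
```

With the default 2-minute spacing only "admin" fires; spreading the same 12 deletions 10 minutes apart puts fewer than 10 inside any one hour, so no alert is raised.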